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Cellular Cryptography and GSM 


igital cellular systems are ona growth 

curve to overtake analog systems in 

just a few years. More than five and 
a half million digital handsets were sold in 
1997, up from less than one and a half million 
in 1996. 

One of three digital technologies compet- 
ing for customers in the United States is the 
Global System for Mobiles (GSM) standard. 
Originating in Europe in the early 1980s, 
GSM is now serving more than 100 million 
customers around the world, and more than 
two million subscribers in the United States. 

Rather than holding customer information 
in the phone itself, each GSM telephone uses 
aremovable, personalized smartcard called a 
Subscriber Identity Module (SIM). The SIM 
is actually a tiny computer, complete with 
memory storage and a low power micropro- 
cessor. Besides holding subscriber informa- 
tion, it also performs security functions to 
protect the customer and the network. 

Probably the two most common areas of 
vulnerability in a cellular telephone network 
are fraudulent use of service and interception 
of call contents. The GSM SIM makes use of 
cryptography to reduce fraud and provide 
some measure of confidentiality. 

Before a SIM is released to a customer it is 
programmed with a unique, secret 128-bit 
long key called Ki. Once programmed, Ki is 
supposed to remain hidden and invisible, avail- 
able only to special computer algorithms that 
run internally on the SIM. A copy of this 
secret key is also kept by the network operator 
in an Authentication Center (AuC). 

The SIM also contains two cryptographic 
algorithms referred to as A3 and A8, which 
are used for authentication and confidential- 
ity. 


i Authentication 


One of the primary security functions of 
the SIM is to authenticate the subscriber to the 
network. A GSM network verifies the identity 
of a subscriber through a challenge-response 
process. When a mobile subscriber requests 
service, the network sends a mathematical 
challenge to the phone, which it must answer 
correctly before being granted access. 

The challenge sent by the network to the 
phone consists of a 128-bit number called 
RAND. When the phone receives the RAND 
challenge it passes it into the SIM for process- 
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ing. The SIM card sends RAND and the 
secret 128-bit key Ki through the A3 algo- 
rithm to produce a 32-bit “signed response” 
(SRES). This number is transferred out of the 
SIM into the phone, where it is then transmit- 
ted to the network. This is the phone’s re- 
sponse to the network’s challenge. 

Meanwhile the network has performed 
the same set of operations. Using the same 
value of RAND and an identical copy of Ki, 
the network has computed its own value for 
SRES. 

The network compares the SRES received 
from the phone to its own SRES: If the two 
values are the same, it assumes the phone is 
legitimate and allows service to proceed. If 
the two values are not the same, the network 
assumes the SIM does not have the proper 
secret key Ki and therefore denies service to 
the phone. 

Since the RAND value changes with ev- 
ery access attempt, an eavesdropper record- 
ing the SRES response will not be able to 
successfully reuse it later. Even if by chance 
a particular RAND challenge happened to be 
reused, a GSM network has the flexibility to 
authenticate the phone as often as it wishes, 
perhaps several times throughout the dura- 
tion of a call. A legitimate phone can easily 
return the correct answer each time, whereas 
a cloned phone using a single successful 
SRES will be thwarted. 


@ Confidentiality 


The SIM also provides information needed 
to encrypt the radio connection between the 
phone and the base station. In order to under- 
stand how the encryption works, a little back- 


ground is necessary. 

GSM uses a technique called time division 
to share the radio channel with up to seven 
other users. Each user takes turns using the 
common radio channel, sending and receiv- 
ing information only during one of the eight 
available time slots. Each time slot is very 
short, lasting only about 4.6 milliseconds, and 
is identified by a frame number. A GSM 
conversation uses two frames, one going from 
the base station to the phone (called the for- 
ward direction) and another going from the 
phone back to the base station (called the 
reverse direction). Each of these frames con- 
tains 114 bits of user information, which is 
almost always digitized and compressed 
speech. 

So, every 4.6 milliseconds the phone re- 
ceives 114 bits of information from the base 
station and transmits another 114 bits to the 
base station. It is these 228 bits that require 
encryption to protect them from eavesdrop- 
pers. 

Using the RAND challenge and the secret 
key Ki, the SIM runs the A8 algorithm to 
produce a 64-bit long cipher key called Ke. 
Ke is transferred out of the SIM and into the 
phone, where it is used by a third algorithm 
called AS. 

AS uses Ke and the current frame number 
to produce a key stream of 228 bits, half of 
which decode the incoming forward channel 
and the other half encode the outgoing reverse 
channel. AS resides in hardware in the phone, 
not in the SIM, and must operate quickly and 
continuously to generate a fresh set of 228 bits 
every 4.6 milliseconds. Also, because GSM 
handsets are designed to operate in different 
networks, the AS algorithm must be common 
to all GSM networks. 

There are presently at least two different 
implementations of A5. The first, called AS/ 
1, provides the strongest level of encryption 
across the air link. Although purportedly us- 
ing 64 bit keys, in actual practice the keys are 
no more than 54 bits long. The second, A5/2, 
uses a 16-bit key and is designed for export to 
non-Western countries. 

Since encryption requires additional hard- 
ware in each base station, raising the cost and 
complexity of the network, a third option is to 
employ what’s euphemistically called A5/0 
— that is, no encryption at all. 


@ Weaknesses 


GSM security is based on keeping Ki a 
secret. If Ki could somehow be extracted 
froma SIM, the holder would be able to create 
a duplicate SIM. As demonstrated in April of 
this year, there is a weakness in most GSM 
networks that allows Ki to be determined. 

The A3 and A8 algorithms are really inter- 
face specifications, not the actual routines 
themselves. A3 and A8 define the inputs 
(RAND and Ki) and the outputs (SRES and 
Ke) of each algorithm, but don’t specify ex- 
actly how each will produce their result. Each 
GSM network operator can basically imple- 
ment whatever security routines they wish as 
long as the inputs and outputs match the 
definitions for A3 and A8. In addition, since 
A3 and A8 take the same inputs, a combined 
algorithm called A38 is also defined. 

GSM specifications provide a “reference 
implementation” for A38, spelling out the 
details of an example computer program that 
will produce SRES and Ke. It turns out that 
almost all network operators have imple- 
mented this example, referred toas COMP 128. 

COMP! 28 was designed in secret and re- 
leased only to a limited number of groups 
under strict non-disclosure agreements. Its 
strength was based on what cryptographers 
call security through obscurity, relying on 
that fact that since so few people knew the 
details no one would find any weaknesses and 
the algorithm would remain unbroken. 

As usually happens with this type of “secu- 
rity,” the details of COMP128 were eventu- 
ally pieced together from leaked documents 
and other data. A group of researchers in 
California assembled the algorithm and soon 
found that it had a serious flaw. 

COMP 128 is what's known as a hash 
function, To generate an answer to a network 
challenge it takes a total of 256 bits of infor- 
mation (RAND and Ki) and produces a 32-bit 
answer (SRES). Because there are so many 
possible values of RAND as compared to 
possible SRES values, it is likely that more 
than one value of RAND will produce the 
same SRES. This is known as a collision, and 
in the case of COMP 128 it turns out that such 
collisions “leak” information about Ki. 

By selecting the proper values of RAND, 
anattackercan eventually determine the value 
of Ki by examining the SRES collisions. 
Using a smart card reader and some custom 
software, in April of this year the researchers 
demonstrated this attack by extracting the 
secret key from a Pacific Bell SIM in about 
eight hours. Their software repeatedly re- 
quested that the SIM execute the COMP128 
authentication algorithm and examined the 


results, slowly piecing together the value of 
Ki. Once they had the secret key they copied 
itinto another SIM card and effectively cloned 
a GSM phone. 

The researchers also discovered an inter- 
esting fact about Kc, the cipher key used to 
encrypt the contents of aGSM call. Although 
Ke is a 64-bit key, the COMP128 algorithm 
forces the last 10 bits to all zeros, effectively 
reducing it to a 54-bit key. It appears that the 
original designers, probably under pressure 
from intelligence and law enforcement agen- 
cies, deliberately weakened the protection 
that AS provides. 

The law in the United States requires a 
court order before a law enforcement agency 
is allowed to wiretap a telephone, cellular or 
otherwise. Legal wiretaps are almost invari- 
ably performed at the mobile switching cen- 
ter, where the mobile network joins with the 
rest of the public telephone network. The call 
at that point is carried over wires that can 
easily be tapped, making eavesdropping rela- 
tively easy. Very few legal wiretaps are done 
by intercepting the radio portion of the call, 
since it’s much easier, safer, and more reliable 
to do so at the switch. Why then would law 
enforcement agencies be interested in weak 
radio encryption, if not to perform illegal 
wiretaps? 


B Wireless Surveillance 


Things are still boiling on the legislative 


front regarding wiretapping. If you recall, in 
1994 Congress passed the Communications 
Assistance for Law Enforcement Act 
(CALEA), which requires telecommunica- 
tions equipment and service providers tomake 
the nation’s wired and wireless telephones 
“wiretap friendly.” Providers and equipment 
manufacturers are facing an October deadline 
to meet a set of compliance requirements that 
haven't yet been approved by all sides. 

The telecommunications industry, as re- 
quired by CALEA, has developed a set of 
technical standards to implement the law. The 
FBI, representing the nation’s law enforce- 
ment agencies, has blocked implementation 
of the standards, arguing that they don’t go far 
enough in providing surveillance capabili- 
ties. The FBI has a “punch list” of require- 
ments that the telecommunications industry 
and privacy advocates say goes far beyond 
what Congress intended and what CALEA 
allows. 

This spring the deadlock ended up in the 
hands of the Federal Communications Com- 
mission (FCC), who will study the issue, take 
public comments, and eventually issue a rul- 
ing to arbitrate the dispute. 

More information on GSM, CALEA, and 
other wireless topics is available on my website 
at www.decode.com, and in my book /nside 
Mobile Telephone Systems from Index Pub- 
lishing. | am also reachable via electronic 
mail at dan@decode.com. Until next time, 
happy monitoring! 
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